ldap google auth

Alan DeKok aland at deployingradius.com
Wed Jul 13 20:12:53 UTC 2022


On Jul 13, 2022, at 4:01 PM, Antonio Cangiano <antoniocangiano76sp at gmail.com> wrote:
>> a) the credentials are wrong
> I insert google auto generated identity & password only in
> /etc/freeradius/3.0/mods-enabled/ldap ...

  I don't know what else to say.  There's no magic here.  You configure a DN, etc. in FreeRADIUS, and FreeRADIUS gives that to the ldap libraries, which give it to Google.  There's nothing else to be configured here.

> identity = 'WordySiame'   --> google auto generated user with single quote
> password = pwd --> google auto generated password (just password with
> nothing else)
> They are correct, but I have a doubt.  When the log says ...
> 
> (5) eap_gtc: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5) eap_gtc:   Auth-Type PAP {
> rlm_ldap (ldap): Reserved connection (1)
> (5) ldap: Login attempt by "antoniocangiano"
> (5) ldap: Using user DN from request
> "uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it"
> (5) ldap: Waiting for bind result...
> (5) ldap: ERROR: Bind credentials incorrect: Invalid credentials
> (5) ldap: ERROR: Server said: Incorrect password.
> 
> It tries to log in with "antoniocangiano" (user)... shouldn't it try to
> connect with the google identity (WordySiame)?

   Why?  How does FreeRADIUS know that the "antoniocangiano" user is the same as the google identity "WordySiame"?

   FreeRADIUS does what you tell it to do.  The normal situation is that when a user "antoniocangiano" logs in, that name is used to check LDAP.

   If you want to use a *different* name for checking LDAP, then you have to get that name from somewhere.  Where is the mapping between "antoniocangiano" and "WordySiame" stored?  How does FreeRADIUS find this information?

  FreeRADIUS can't magically know that those two identities are the same.  You know that, but clearly you haven't configured FreeRADIUS with that information.

  Alan DeKok.
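
An added example (not part of the original message, and not FreeRADIUS code): a small Python triage script run over the debug output quoted above, reporting which DN each request was bound as and what the server answered. The function names and the `module_identity` parameter are assumptions of this example.

```python
import re

# Debug output quoted in the message above ("> " quoting stripped, mail wrapping kept).
SAMPLE_LOG = '''\
(5) eap_gtc: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) eap_gtc:   Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (1)
(5) ldap: Login attempt by "antoniocangiano"
(5) ldap: Using user DN from request
"uid=antoniocangiano,ou=Users,dc=iissgarrone,dc=edu,dc=it"
(5) ldap: Waiting for bind result...
(5) ldap: ERROR: Bind credentials incorrect: Invalid credentials
(5) ldap: ERROR: Server said: Incorrect password.
'''

ENTRY_START = re.compile(r'^(\(\d+\)|rlm_\w+)\s')   # "(5) ..." or "rlm_ldap ..."
LDAP_LINE = re.compile(r'^\((\d+)\) ldap: (.*)$')   # per-request ldap module output

def unwrap(text):
    """Rejoin mail-wrapped lines: anything not starting an entry continues the last one."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += ' ' + line.strip()
    return entries

def ldap_binds(text):
    """Map request number -> login user, DN used for the bind, and server errors."""
    requests = {}
    for entry in unwrap(text):
        m = LDAP_LINE.match(entry)
        if not m:
            continue
        req = requests.setdefault(int(m.group(1)), {'user': None, 'bind_dn': None, 'errors': []})
        msg = m.group(2)
        if msg.startswith('Login attempt by'):
            req['user'] = msg.split('"')[1]
        elif msg.startswith('Using user DN'):
            req['bind_dn'] = msg.split('"')[1]
        elif msg.startswith('ERROR: '):
            req['errors'].append(msg[len('ERROR: '):])
    return requests

def bind_source(req, module_identity):
    """Whose name the bind DN carries: the login user's or the module identity's."""
    rdn = req['bind_dn'].split(',')[0].split('=', 1)[1]
    return {req['user']: 'request-user', module_identity: 'module-identity'}.get(rdn, 'other')
```

For the quoted log, `bind_source(ldap_binds(SAMPLE_LOG)[5], 'WordySiame')` returns `'request-user'`: the failing bind in request 5 carries the name of the user who logged in, not the `identity` value from the module configuration.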
